Olaf Titz <olaf@bigred.inka.de> wrote:
>> Loading modules lets potentially untrustworthy code into your trusted
>> environment so the modules need to be checked first. A possible approach is
>> to use code signing so the kernel can check that the code really was
>> compiled by you.
>
>Modules operate on _the same_ trust level as the kernel itself. If a
>hacker can install a malicious module, he can as well install a
>malicious kernel. (I.e. this attack is neither new nor a special Linux
>risk, it just makes patching the kernel easier.)
>
>So it is futile for the kernel to check module integrity - you need a
>_higher_ trust level. "Higher trust level than the kernel" implies
>media the kernel couldn't physically write to after the attack. I.e.
>boot from a floppy and re-install everything from trusted media (CD,
>backup tapes), check file signatures against separately stored media,
>etc.

I think RPM is useful here; RPM is able to verify installed files against their original checksum/signature. One of the basics of security is "provability". To improve security, these signature checks could be done at regular intervals. All added software should be packed in RPMs too. A complete security check can be quite time consuming. The test "check for all files whether they belong to a trusted package" can be done with RPM too, but maybe it is easier to create a separate test for this one. A medium without modification possibilities (like ROM or CD-ROM) or a trusted server should be used to store the signatures, or a master signature over the files containing the signatures.
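As an added illustration of the two RPM checks described in the reply above (this is example code written for this page, not something from the original thread or from the RPM project), the script below triages the output of `rpm -Va` (verify every installed file against the package database) and of `rpm -qf` (ask which package owns a file). Both functions read the tool's output on stdin, so the sample text embedded here is constructed and stands in for a real run; on a real system you would pipe `rpm -Va` and `rpm -qf <paths>` into them. The column layout parsed is the standard `rpm -V` attribute string (`SM5DLUGTP`) and the standard "file X is not owned by any package" message.

```shell
#!/bin/sh
# Added example (not from the original thread): triage "rpm -Va" output so
# that only integrity-relevant differences are reported, and list files that
# no installed package owns.
#
# "rpm -Va" prints one line per file that differs from the RPM database:
#   SM5DLUGTP  c /path
# S=size, M=mode, 5=digest, D=device, L=symlink target, U=user, G=group,
# T=mtime, P=capabilities; '.' means the attribute matches, '?' means it
# could not be checked. Missing files print as "missing   /path". The
# optional single-letter type column ('c' = config file) precedes the path.

# triage_rpm_verify: read rpm -Va output on stdin, print "REASON path" for
# every line that deserves a look. Config files change legitimately, so
# they are only reported when content, mode or ownership differ.
# Assumes paths contain no whitespace (true for packaged system files).
triage_rpm_verify() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
        attrs = $1
        type = ""
        if (NF >= 3) type = $2
        path = $NF
        size   = substr(attrs, 1, 1)
        mode   = substr(attrs, 2, 1)
        digest = substr(attrs, 3, 1)
        owner  = substr(attrs, 6, 2)        # U and G columns
        if (digest == "5" || size == "S") {
            if (type == "c") print "CONFIG-EDITED " path
            else             print "CONTENT " path
        }
        else if (mode == "M")                  print "MODE " path
        else if (owner ~ /[UG]/)               print "OWNER " path
        else if (attrs ~ /\?/)                 print "UNCHECKED " path
        else if (type != "c" && attrs ~ /[^.]/) print "ATTR " path
        # config files with only mtime/device/link differences are ignored
    }'
}

# filter_unowned: read "rpm -qf <paths...>" output on stdin and print only
# the paths that no installed package claims. Lines naming an owning package
# are dropped.
filter_unowned() {
    sed -n 's/^file \(.*\) is not owned by any package$/\1/p'
}

# Constructed sample output, standing in for a real "rpm -Va" run.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/hosts
..5......    /usr/bin/login
.M.......    /usr/bin/su
missing     /usr/sbin/sshd
....L....    /usr/lib/libexample.so'

# Constructed sample output, standing in for "rpm -qf" on a few paths.
SAMPLE_RPM_QF='file /usr/local/bin/localtool is not owned by any package
examplepkg-1.0-1.noarch
file /opt/vendor/agent is not owned by any package'

# Stand-alone run: show what a periodic check would report.
echo "== rpm -Va triage =="
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
echo "== files owned by no package =="
printf '%s\n' "$SAMPLE_RPM_QF" | filter_unowned
```

Note that `rpm -Va` compares files against the RPM database on the same disk, so the check is only as trustworthy as that database; the reply's point about a read-only medium applies to the database (or a signed digest of it) as much as to the files themselves. Running the check from a boot medium the system cannot write to, and comparing against a copy of the package signatures kept off the machine, is what makes the result "provable" rather than just consistent with itself.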